Pwn’t: Okta

//From the desk of Colton Sumners

So, the Okta hack is a… curious one, isn’t it? The breakdown occurred in the spot in the chain where there is the least amount of control, and where everyone always fears a compromise is going to occur. It’s easy to sleep at night knowing we have our own house tidy, but what about the houses of our trusted partners?

So, basically, Okta subcontracts some of its customer support. One of those companies it outsources to is the Sitel Group. On January 21, an Okta security team member received an alert that a new MFA factor had been added to a Sitel Group employee account from a new location.

The “new location” piece is what I am assuming sparked an investigation, which revealed that a Sitel support engineer’s computer had been compromised over remote desktop protocol (RDP). This protocol is a known weak point and is normally disabled except when specifically needed, which helped Okta investigators narrow the timeframe for the attack to a five-day window between Jan. 16 and 21, 2022.
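The alert that started the investigation, an MFA factor enrolled from a location the account had never used, is exactly the kind of signal a rule over identity-provider logs can surface. What follows is an added example, not Okta’s or Sitel’s code: it assumes Okta System Log field names (eventType, actor.alternateId, client.geographicalContext.country) and runs over constructed sample events, and it only counts a country as “known” if the account had a session from it some days before the enrolment, so the attacker’s own login minutes earlier cannot launder the location.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed newline-delimited events shaped like Okta System Log entries.
# Field names are assumed from that schema; users, dates and countries are made up.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"published": "2022-01-05T08:00:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "other.eng@example.com"}, "client": {"geographicalContext": {"country": "Netherlands"}}},
    {"published": "2022-01-10T09:00:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "support.eng@example.com"}, "client": {"geographicalContext": {"country": "Netherlands"}}},
    {"published": "2022-01-12T10:15:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "support.eng@example.com"}, "client": {"geographicalContext": {"country": "Netherlands"}}},
    {"published": "2022-01-20T22:40:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "support.eng@example.com"}, "client": {"geographicalContext": {"country": "Malaysia"}}},
    {"published": "2022-01-21T03:05:00Z", "eventType": "user.mfa.factor.activate",
     "actor": {"alternateId": "support.eng@example.com"}, "client": {"geographicalContext": {"country": "Malaysia"}}},
    {"published": "2022-01-21T08:00:00Z", "eventType": "user.mfa.factor.activate",
     "actor": {"alternateId": "other.eng@example.com"}, "client": {"geographicalContext": {"country": "Netherlands"}}},
])

def parse_ts(s):
    """Okta timestamps end in 'Z'; older fromisoformat needs an explicit offset."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def country_of(ev):
    return ev.get("client", {}).get("geographicalContext", {}).get("country")

def new_location_factor_alerts(raw, min_age_days=7):
    """Alert on each MFA-factor activation from a country the account had no
    session from at least min_age_days earlier. A session from the same country
    only hours before the enrolment does not make that country 'known'."""
    events = sorted((json.loads(l) for l in raw.splitlines() if l.strip()),
                    key=lambda e: parse_ts(e["published"]))
    history = defaultdict(list)  # user -> [(time, country)] of earlier sessions
    alerts = []
    for ev in events:
        user, country, when = ev["actor"]["alternateId"], country_of(ev), parse_ts(ev["published"])
        if ev["eventType"] == "user.mfa.factor.activate":
            cutoff = when - timedelta(days=min_age_days)
            established = {c for t, c in history[user] if t <= cutoff}
            if country not in established:
                alerts.append({"user": user, "country": country, "when": ev["published"],
                               "known_countries": sorted(established)})
        elif ev["eventType"] == "user.session.start" and country:
            history[user].append((when, country))
    return alerts
```

With the default seven-day floor the support engineer’s enrolment from the never-seen country fires and the colleague’s enrolment from a long-established country does not; with min_age_days=0 the attacker’s own login the night before suppresses the alert, which is the failure mode the floor exists to prevent.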

At the end of the day, the impact on Okta customers has been minimal. Because support engineers have only limited access to Okta’s systems, they cannot create or delete users or download customer databases, and their access to customer data is quite limited as well. However, criticism of Okta’s response has been harsh: at the outset the company did not yet know how many of its customers were affected, and it waited nearly two months to make the breach public. The impact on Okta’s value has been obvious: investors shaved about $6 billion off the company’s market cap during the week the hack was made public, and the event has been widely reported, bruising Okta’s reputation in the SaaS space.

I think it’s worth taking a step back and shining a light on how this occurred once again: a third-party contractor got popped, which led to access to Okta’s sensitive data. Crappy. Really, really crappy.

As of now, it is estimated that around 2.5 percent of Okta’s customers may have been affected, but services “… remain fully operational.” An important takeaway is that Okta’s chief security officer David Bradbury has stated, “We have identified those customers [that had data exposed] and are contacting them directly. If you are an Okta customer and were impacted, we have already reached out directly by email.”
